When working with threat intelligence, it's vital to collect indicators of compromise to be able to determine possible attack patterns. What could be catalogued as unusual network traffic? This is all traffic that is not normally seen in the network: after building a frequency table, any IP address that accounts for less than 1% of the observed traffic is suspicious and should be investigated.

What do we need to build a frequency table? We could use a sniffer and then process the network capture to speed things up.

Another alternative is to use libpcap to gather the incoming protocols and the timestamp at which each packet was seen. For this diary, we will show a C program using libpcap that records the timestamp and the following fields for each protocol:

| Protocol | Fields (CSV file) | Log file |
|----------|-------------------|----------|
| TCP | year,month,day,hour,minute,second,source IP,source port | tcplog.csv |
| UDP | year,month,day,hour,minute,second,source IP,source port | udplog.csv |
| ICMP | year,month,day,hour,minute,second,source IP,ICMP type number | icmplog.csv |

How do we build the program?

We need to define all the protocol headers: Ethernet, IP, TCP, UDP and ICMP.
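As an added illustration (not the diary's own program), here are those header definitions together with the per-packet decoding that produces the CSV fields from the table above. libpcap itself is left out so the code runs offline on two constructed frames; in the real program the capture timestamp is assumed to come from pcap_pkthdr.ts.tv_sec.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <arpa/inet.h>            /* ntohs, inet_ntop, AF_INET */
/* Protocol headers as laid out on the wire (multi-byte fields in network byte order) */
struct eth_hdr  { uint8_t dst[6], src[6]; uint16_t type; };
struct ip_hdr   { uint8_t vhl, tos; uint16_t len, id, frag; uint8_t ttl, proto; uint16_t csum; uint32_t src, dst; };
struct tcp_hdr  { uint16_t sport, dport; uint32_t seq, ack; uint8_t off, flags; uint16_t win, csum, urg; };
struct udp_hdr  { uint16_t sport, dport, len, csum; };
struct icmp_hdr { uint8_t type, code; uint16_t csum; };
/* One CSV row: destination log file, source IP, and the protocol-specific last field (source port or ICMP type) */
struct log_row { const char *file; char src_ip[INET_ADDRSTRLEN]; unsigned last; };
/* Decode one frame; returns 1 and fills *row for IPv4 TCP/UDP/ICMP, 0 for anything else or a truncated capture */
int parse_frame(const uint8_t *pkt, size_t caplen, struct log_row *row)
{
    struct eth_hdr eth; struct ip_hdr ip;
    if (caplen < sizeof eth) return 0;
    memcpy(&eth, pkt, sizeof eth);                     /* memcpy rather than pointer casts: no alignment traps */
    if (ntohs(eth.type) != 0x0800 || caplen < sizeof eth + sizeof ip) return 0;
    memcpy(&ip, pkt + sizeof eth, sizeof ip);
    size_t ihl = (size_t)(ip.vhl & 0x0f) * 4;          /* IHL is in 32-bit words; IP options make it > 20 */
    if ((ip.vhl >> 4) != 4 || ihl < sizeof ip || caplen < sizeof eth + ihl) return 0;
    const uint8_t *l4 = pkt + sizeof eth + ihl;
    size_t l4len = caplen - sizeof eth - ihl;
    inet_ntop(AF_INET, &ip.src, row->src_ip, sizeof row->src_ip);
    switch (ip.proto) {
    case 6:  { struct tcp_hdr t;  if (l4len < sizeof t) return 0; memcpy(&t, l4, sizeof t);
               row->file = "tcplog.csv";  row->last = ntohs(t.sport); return 1; }
    case 17: { struct udp_hdr u;  if (l4len < sizeof u) return 0; memcpy(&u, l4, sizeof u);
               row->file = "udplog.csv";  row->last = ntohs(u.sport); return 1; }
    case 1:  { struct icmp_hdr i; if (l4len < sizeof i) return 0; memcpy(&i, l4, sizeof i);
               row->file = "icmplog.csv"; row->last = i.type;        return 1; }
    default: return 0;
    }
}
/* Render "year,month,day,hour,minute,second,source IP,<port|type>" from the capture timestamp (UTC) */
int format_row(time_t ts, const struct log_row *row, char *out, size_t n)
{
    struct tm *tm = gmtime(&ts);                       /* gmtime keeps the row independent of the host time zone */
    return snprintf(out, n, "%d,%d,%d,%d,%d,%d,%s,%u", tm->tm_year + 1900, tm->tm_mon + 1,
                    tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec, row->src_ip, row->last);
}
/* Constructed sample frames (not real traffic): TCP SYN from 192.0.2.10:54321 to port 22; ICMP echo request from 203.0.113.7 */
const uint8_t tcp_frame[] = { 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, 0x45,0x00,0x00,0x28,0x00,0x01,
    0x40,0x00,0x40,0x06,0x00,0x00, 0xc0,0x00,0x02,0x0a, 0xc6,0x33,0x64,0x05, 0xd4,0x31,0x00,0x16, 0,0,0,1, 0,0,0,0, 0x50,0x02,0x20,0x00, 0,0,0,0 };
const uint8_t icmp_frame[] = { 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, 0x45,0x00,0x00,0x1c,0x00,0x02,
    0x00,0x00,0x40,0x01,0x00,0x00, 0xcb,0x00,0x71,0x07, 0xc6,0x33,0x64,0x05, 0x08,0x00,0x00,0x00, 0x00,0x01,0x00,0x01 };
```

In the libpcap version, the pcap_loop() callback calls parse_frame() on the captured bytes and format_row() with the header's timestamp, then appends the line to row->file; the explicit caplen checks matter because a snaplen shorter than the headers, or a non-IP frame, must not be logged as a TCP or UDP row.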